2. process::firewall::install(move(rules));如果有参数--firewall_rules则会添加规则

 

对应的代码如下：

1. // Initialize firewall rules.
2. if (flags.firewall_rules.isSome()) {
3.   vector<Owned<FirewallRule>> rules;
4.  
5.   const Firewall firewall = flags.firewall_rules.get();
6.  
7.   if (firewall.has_disabled_endpoints()) {
8.     hashset<string> paths;
9.  
10.     foreach (const string& path, firewall.disabled_endpoints().paths()) {
11.       paths.insert(path);
12.     }
13.  
14.     rules.emplace_back(new DisabledEndpointsFirewallRule(paths));
15.   }
16.  
17.   process::firewall::install(move(rules));
18. }

 

对应的命令行参数如下：

 

 

这个参数的主要作用为，并不是Mesos的每一个API都想暴露出来，disabled_endpoints里面就是不能访问的API。

 

上面的install的代码会做下面的事情

 

 

最终会放到环境变量firewallRules里面。

 

那这些firewall是什么事情起作用的呢？

 

在3rdparty/libprocess/src/process.cpp里面有函数

 

1. synchronized (firewall_mutex) {
2.   // Don't use a const reference, since it cannot be guaranteed
3.   // that the rules don't keep an internal state.
4.   foreach (Owned<firewall::FirewallRule>& rule, firewallRules) {
5.     Option<Response> rejection = rule->apply(socket, *request);
6.     if (rejection.isSome()) {
7.       VLOG(1) << "Returning '"<< rejection.get().status << "' for '"
8.               << request->url.path << "' (firewall rule forbids request)";
9.  
10.       // TODO(arojas): Get rid of the duplicated code to return an
11.       // error.
12.  
13.       // Get the HttpProxy pid for this socket.
14.       PID<HttpProxy> proxy = socket_manager->proxy(socket);
15.  
16.       // Enqueue the response with the HttpProxy so that it respects
17.       // the order of requests to account for HTTP/1.1 pipelining.
18.       dispatch(
19.           proxy,
20.           &HttpProxy::enqueue,
21.           rejection.get(),
22.           *request);
23.  
24.       // Cleanup request.
25.       delete request;
26.       return;
27.     }
28.   }
29. }